Webcast Replay | Anatomy of a Data Breach

Industry veterans Brian Lapidus and David White recently hosted a 40-minute dive into data breaches, how to expedite your response and what to expect when facing a breach of sensitive data, regardless of how it happens. The session was followed by live Q&A.

Together, Brian and David have responded to thousands of data breaches worldwide and supported over 300 million customers safeguard their identity.

Who it’s for: Suitable for anyone on your organization’s breach response team, from information security to risk management and compliance. If you don’t have a breach response team, congratulations—you’re it. We help you figure out who needs to be involved when a breach is discovered and how to stay calm while your hair is on fire.

Watch the Webcast Replay

This webcast covers:

Breach basics: the terms, the timeline, what to expect
Where to spend your time (and budget) as you pre-plan for the inevitable
The results: we’ll share some personal stories and stuff we wish we could tell our clients

Download webcast slides.

Notable Passages From the Presentation

On Understanding Breaches

Every single breach is different, whether it's from the entity that's had the incident versus the data that's impacted, or even the consumer base that might also be impacted there. – David White

On What Clients Ask

If we notify, are we accepting responsibility or liability for the breach? Next, what have you done for international clients to help them respond? This is a mature concept in other countries, in the U.S. how do we deal with this in the other markets? Next, how do I deal with different country or state regulators? – Brian Lapidus

What do you need to be mindful as a part of response? How do you take into account cultural nuances in different countries around this requirement? What is the potential impact of doing nothing?

How am I supposed to pay for this? The cyber liability insurance space covers parts of these events and doesn't cover other parts of these events. And so while the organization may have a policy, they may not know the details of that policy. – Brian Lapidus

On Privacy Regulations

Organizations are going to have to notify either regulators or their customers when they breach someone's privacy. When they breach an organization's privacy, when they breach a consumer's privacy, they are all of a sudden going to have responsibilities that they did not have five years ago. And making sure that they can manage that, handle it and act against it is really going to be a game changer for businesses and companies around the world. – Brian Lapidus

On the Most Common Breach Trends by Industry While certain countries will have very stringent or more stringent healthcare, privacy regulations, I think there's a common factor here. The data that is held by healthcare organizations can be everything from fairly benign through to the most sensitive data available in that industry. And I think if any of that data is made public, there are huge and very significant and damaging effects of that. – David White

If you think about the amount of data that a finance company will have on you, yes, they've got the name, date of birth and address, but they've also got how many loans have you got, have you got car finance, were you rejected for some finance? And I think when you start to put all that information together, actually you can do a lot of damage to an actual individual with regards to identity theft, because you can start to answer some of those financial questions on their behalf. – David White

The amount of data that technology is capturing these days is huge. And I think as they capture that data and they're able to aggregate that data together, that then creates a very powerful amounts of information that they have both at the aggregate level, but also on specific individuals as well. – David White

On Smaller Breaches

When we talk with our forensic peers, they will often say to us, well, initially, a breach may have thought it was a million people, but actually after some forensic analysis, that number has come down and quite often it's not the whole data set that's been impacted. So, therefore, just understanding and having a process for a smaller breach is important. – David White

The number of breaches that are being reported are still increasing. And you can see here that nearly 120,000 breaches in the EU were reported last year. And the number of fines are also going up. I think that will continue to go up as more and more, as Brian was saying more and more regulations come out and they're attributing potential fines to those regulations. – David White

On Who’s Involved

All breaches are different and the types of people and the types of departments that are involved changes. And it's really interesting to see how different organizations deal with it. Counsel will usually be involved in some way, shape or form whether that's internal counsel or whether it's external.– David White

On What to Expect When You're Not Expecting a Breach

So, the first piece and the first recommendation is make sure you run a proper investigation. You have to understand what happened to truly mitigate the risk around it. So, I can tell you that when clients come to us and say, "Hey, we need your help in notifying." We always go back to the beginning to say, do you know what happened? We've had clients who have notified then tried to figure out what happened and they've wasted a ton of money because they did not have a notifiable event. They actually did not have an exposure. And so using forensics and understanding what happened is really, really important. – Brian Lapidus

From a stakeholder perspective, you want to make sure that you have all of your key stakeholders, your leadership involved. And here's why I know a lot of organizations say, "Ah, I want to keep the C-suite out of this, I need to keep them apprised," but you would be surprised at the level of involvement that a C-suite wants to have in this, especially as it relates the communication. – Brian Lapidus

From a pre-announcement perspective, you have to understand where your data is and know what your data is. And so part of our process is to help make sure that you have a one-to-one ratio of your communication. If I'm letting David know that his data was compromised, I'm letting David know once. That's beneficial from a cost perspective, but it also is beneficial from a credibility perspective. – Brian Lapidus

After the event, the most common mistake is not planning for the future. Making sure that your board, your GC, your leadership team understands that this is probably going to happen again. What do you do differently next time? You've done it once, they're going to always be things you could do different or better not taking that opportunity is a mistake. – Brian Lapidus

On the Implications of a Data Breach

When you have one of these events, you have the cost to mitigate it, you have the cost for compensating affected consumers or individuals that were impacted by your privacy event, you have regulatory penalties and fines tied to it. – Brian Lapidus

You have reputational damage from an organizational perspective. The length of that organizational reputational damage is dependent on how you handle this event. We have seen organizations that come out of these events actually have built stronger relationships with their customers because of how they've handled it. So, it's possible to make this a win between you and your stakeholders and your customers, as opposed to a loss. Now it takes effort and it takes a real focus to make that happen, but it's important. – Brian Lapidus

Legal action litigation is a part of this, be it from stakeholders, be it from third parties, be it from consumers. Managing that increase in litigation that comes from these events from a cost and service delivery perspective and a psyche of the organization. When you have 30 class action lawsuits facing you, in addition to your normal course of business, again, is a challenge that you as a business need to be mindful of. – Brian Lapidus

On Challenges of a Breach

If you try and operate too quickly, the chances are that will be something that will go wrong either potentially it will cost you more because you'll be notifying a population you may not need to, or you may just get things wrong. But speed is really important because I think for a couple of jurisdictions out there, they have regulatory requirements and where either the entity has to report this to the regulator and or to the consumers as well. And those dates are generally fixed. And so for some of them they can be 60 days. So that first 30 days can feel like quite a long time. And then actually as you start getting closer to that, it starts to become really critical. – David White

On Key Takeaways

You want to match your remedy to risk. So, if as an organization you lose just the client's name, do you have requirements to notify in some markets? Absolutely. If you lose their name, their social insurance number, medical prescription history, medical diagnosis, that's a different ball game. It's a different ball game. And so understanding the risk that you're causing based on the data that's been compromised is really important. And providing a remedy, be it credit monitoring, or dark web monitoring, or some sort of solution that matches that need is very, very important. – Brian Lapidus

Avoid the blame game. There's something about being accountable. If you had the data, but you gave it to a third party, your customers, your clients, your employees aren't going to look to that third party, they're looking at you. And so we have found that owning it is far better than deflecting and blaming someone else. – Brian Lapidus

As it relates to communication, be thoughtful and clear, understand what you're saying, make sure you're stating the facts. The more you know upfront, allows you and enables you to be more thoughtful and clear when it's time to communicate, because you know what's happened, you have a plan and you're working against your plan and you're sharing that information with the public. – Brian Lapidus

Apologize. I really don't think there's an expectation of perfection. Customers, partners, vendors, they may be annoyed, but they don't expect perfection. Empathy goes a long way in making this happen making it go away, so that apology and making sure it's sincere is important. – Brian Lapidus

The law is the law and the timetables are the timetables. And they're non-negotiable, there's not an asterisk next to the timeline requirements, the regulatory requirements for notification. And so is there a sensitivity around it? Is there some flexibility? Likely yes, but the timelines are important and they're not negotiable upfront. And so making sure that you are acting quickly and demonstrating that speed is important.– Brian Lapidus

On Preparing for a Breach

Know where your customer data is. Any PII you have, know where that is and how you can retrieve it quickly. Make sure you know who your stakeholders are when this happens, know that you want them at the ready, and I want you to contingency plan for those stakeholders. One of the things that we do when we talk with our clients before an event is, and we do a tabletop exercises, is we want to make sure that they know who their main stakeholders are. – Brian Lapidus

Be prepared to pivot and change. There are always curve balls thrown in, and those curve balls can be, and we've given some examples about whether they're internal within your organization, whether they're from a regulator or whether they're from a consumer or a client, but they will generally have one. And as the saying goes, no battle survives first contact with the enemy. – David White